Assign an existing User-Assigned Managed Identity to VM from another subscription using Azure Policy
Azure provides a comprehensive list of built-in policy definitions (grouped by the category property defined in the metadata) which are owned and maintained by Microsoft (where the azure-policy repository contains the direct representation of these).
Built-in policy definitions usually cover a specific scenario although some flexibility might be provided through parameters that can be configured. However, customers might have specific needs not covered by an available built-in policy definition and a custom policy definition might be needed.
As a rule of thumb, if there is a built-in policy definition that covers part of a scenario, a custom policy definition can be created based on it introducing the necessary modifications.
Let’s take into consideration the [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines built-in policy definition that creates and assigns a built-in user-assigned managed identity or assigns a pre-created user-assigned managed identity at scale to virtual machines. This currently provides the user-assigned managed identity name and resource group name as parameters expecting that it is on the same subscription as the virtual machine resource. However, in a scenario where the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource, a custom policy definition is required.
Before creating a custom policy, it is worth checking both the Azure Policy Samples as well as the Community Policy Repository to see whether a policy definition that matches your needs already exists. Coming back to the user-assigned managed identity assignment to virtual machines where the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource scenario, a custom policy definition is available here where the user assigned managed identity resource URI (which contains the subscription ID) is provided as a parameter.
Published on:
Learn moreRelated posts
Automating Business PDFs Using Azure Document Intelligence and Power Automate
In today’s data-driven enterprises, critical business information often arrives in the form of PDFs—bank statements, invoices, policy document...
Azure Developer CLI (azd) Dec 2025 – Extensions Enhancements, Foundry Rebranding, and Azure Pipelines Improvements
This post announces the December release of the Azure Developer CLI (`azd`). The post Azure Developer CLI (azd) Dec 2025 – Extensions En...
Unlock the power of distributed graph databases with JanusGraph and Azure Apache Cassandra
Connecting the Dots: How Graph Databases Drive Innovation In today’s data-rich world, organizations face challenges that go beyond simple tabl...
Azure Boards integration with GitHub Copilot
A few months ago we introduced the Azure Boards integration with GitHub Copilot in private preview. The goal was simple: allow teams to take a...
Microsoft Dataverse – Monitor batch workloads with Azure Monitor Application Insights
We are announcing the ability to monitor batch workload telemetry in Azure Monitor Application Insights for finance and operations apps in Mic...
Copilot Studio: Connect An Azure SQL Database As Knowledge
Copilot Studio can connect to an Azure SQL database and use its structured data as ... The post Copilot Studio: Connect An Azure SQL Database ...
Retirement of Global Personal Access Tokens in Azure DevOps
In the new year, we’ll be retiring the Global Personal Access Token (PAT) type in Azure DevOps. Global PATs allow users to authenticate across...
Azure Cosmos DB vNext Emulator: Query and Observability Enhancements
The Azure Cosmos DB Linux-based vNext emulator (preview) is a local version of the Azure Cosmos DB service that runs as a Docker container on ...